From 38688dd6c654eebe0842a3c034fbaee49958eb42 Mon Sep 17 00:00:00 2001
From: Jonathan Shook
Date: Fri, 11 Mar 2022 10:00:23 -0600
Subject: [PATCH] fix path traversal so static analysis can recognize it

---
 .../java/io/nosqlbench/engine/rest/services/WorkSpace.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/engine-rest/src/main/java/io/nosqlbench/engine/rest/services/WorkSpace.java b/engine-rest/src/main/java/io/nosqlbench/engine/rest/services/WorkSpace.java
index 7f9b444c5..572511741 100644
--- a/engine-rest/src/main/java/io/nosqlbench/engine/rest/services/WorkSpace.java
+++ b/engine-rest/src/main/java/io/nosqlbench/engine/rest/services/WorkSpace.java
@@ -151,6 +151,9 @@ public class WorkSpace {
 }
 private void assertLegalWorkspacePath(Path target) {
+ if (!target.normalize().startsWith(this.workspacePath)) {
+ throw new RuntimeException("workspace path '" + target + "' contains path traversal");
+ }
 if (target.toString().contains("..")) {
 throw new RuntimeException("Possible path injection:" + target);
 }
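Review bot: The new guard at the top of assertLegalWorkspacePath only holds if `target` and `this.workspacePath` are in the same form, because `Path.startsWith` compares path components rather than resolved locations: a relative `target` checked against an absolute `workspacePath` is rejected even when it is legal, and a `workspacePath` that was not itself made absolute and normalized makes the comparison fail for the wrong reason. Unless the constructor already guarantees an absolute, normalized `workspacePath` (not visible in this hunk), bring both sides to the same form: `Path base = this.workspacePath.toAbsolutePath().normalize();` / `if (!target.toAbsolutePath().normalize().startsWith(base)) {`. Note that `normalize()` does not resolve symbolic links, so a link inside the workspace that points outside it still passes; `toRealPath()` would close that when the path is expected to exist and the workspace should be link-free. As a point of style, `IllegalArgumentException` (or `SecurityException`) states the failure more precisely than the bare `RuntimeException` used on the added throw. The remainder of assertLegalWorkspacePath, including its closing brace, lies outside the hunk.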